
Lessons from the Bangladesh Central Bank Heist

By now, you’ve probably heard about the massive cyber attack that hit Bangladesh’s central bank last month, resulting in the loss of $81 million through fraudulent transfers to accounts in the Philippines. Although the size and scale of this cyber heist were unprecedented, cybercrime targeting ACH (Automated Clearing House) financial transactions is nothing new. Financially motivated hackers regularly target ACH systems.

But the Bangladesh attack was noteworthy because it called attention to the Society for Worldwide Interbank Financial Telecommunication or SWIFT, the financial messaging services system that many of the world’s banks rely on to coordinate and communicate about automated financial transfers. According to its website, SWIFT’s messaging services are used by more than 11,000 financial institutions in more than 200 countries. The system is designed to enable “secure, seamless and automated financial communication between users” via a standardized protocol.

This attack is a reminder of the persistent threat presented by hackers attempting to access automated systems that can authorize immediate transfers of huge sums of money. The incident also highlights the ever-growing need for heightened security and the need for strong security protocols throughout an organization. As the saying goes, you’re only as safe as your weakest link, and that was indeed the case for the Bangladesh central bank. The ongoing investigation into the Bangladesh bank’s system and procedures indicates that the bank’s internal SWIFT system may have been made more vulnerable after it was linked to a common payment platform meant for the country’s commercial banks. Again, it’s a reminder that any device linked to your computer system has the potential to create a new vulnerability.

And financial regulators have reported that “the financial industry’s reliance on third-party service providers for critical banking and insurance functions [is] a continuing challenge” to cybersecurity. For many companies, these third parties include dozens of vendors and business partners. As you’re thinking about your organization’s cybersecurity and controls, it’s important to also evaluate the risks posed by third parties with access to your systems.
